[codex] Add identity recovery risk guard

[newmattock]

/claim #11

Summary

• add a self-contained identity-recovery-risk-guard module for the User & Project Management bounty
• evaluate password resets, MFA resets, email changes, OAuth relinks, and SAML rebinds before sensitive project access is restored
• detect missing recovery evidence, suspicious sessions, linked-identity drift, SAML domain mismatch, elevated project roles, and restricted object grants
• generate recovery packets, project access holds, session actions, deterministic audit events, an SVG preview, a demo GIF, and a short MP4 demo video

Distinctness

This focuses on account recovery and active-session risk before access restoration. It avoids duplicating the existing broad RBAC/profile/workspace submissions, member lifecycle/offboarding work, institutional recertification, anonymous-review escrow, and identity merge/export slices.

Demo

• identity-recovery-risk-guard/docs/demo.mp4
• identity-recovery-risk-guard/docs/demo.gif
• identity-recovery-risk-guard/docs/demo.svg
• cd identity-recovery-risk-guard && npm run demo

Verification

cd identity-recovery-risk-guard
npm run check
npm test
npm run demo
npm run demo:gif
cd ..
git diff --check
file identity-recovery-risk-guard/docs/demo.mp4 identity-recovery-risk-guard/docs/demo.gif identity-recovery-risk-guard/docs/demo.svg
rg -n "api[_-]?key|private[_-]?key|secret|token|wallet|ssn" identity-recovery-risk-guard README.md

Local results:

npm run check passed
npm test passed: 4 tests
npm run demo digest: e05ebc62fab58e7c
Demo summary: 3 recovery requests, 1 critical, 1 high, 3 project holds, 2 session revocations
Demo MP4: ISO Media, MP4 v2
Demo GIF: GIF89a, 960 x 540
Focused sensitive-value scan returned no matches

AI-assisted with OpenAI Codex; I reviewed and locally verified the implementation before submission.

[newmattock]

@algora-pbc /claim #11